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DETAILED ACTION 
Response to Arguments 

1. Applicant argues, "Claim 1 recites, in part, 'generating a first hash for transmission to the 
device, the first hash generated using a secret obtained from a user, the first public key, the 
second public key and a random number generated from the tunnel protocol.' In contrast, 
Peyravian does not describe obtaining the password from a user because, in Peyravian, the server 
and the user know the common password a priori ." This argument is not persuasive because the 
claims do not require the secret to be transmitted to the device, only the first hash. Therefore, the 
Tact that the server already knows the password is irrelevant. 

2. Applicant argues, "the cited portions of Peyravian (See, Peyravian, [0038]), [0040]) do 
not describe that the random number is generated from the tunnel protocol ." This argument is not 
persuasive because the claims do not specify exactly how the random number is generated and 
how the claimed tunnel protocol is involved in the generation procedure except for the broad 
recitation of "generated from the tunnel protocol." For the purposes of examination the claim 
limitation has been interpreted using a broad but reasonable interpretation which would cover 
generating the random numbers for use with a tunneUng protocol, which is shown by Peyravian 
(Abstract & [0016] & [0038] & [0040]). 

3. Applicant argues, "the secret, PW, is not obtained from a user because Peyravian 
describes that the server and the client already possess the secret. In contrast, as claimed, a secret 
is obtained from a user to generate a first hash. Thus, 'secret, PW,' as taught by Peyravian is not 
equivalent to 'the second secret,' as claimed." This argument is not persuasive because if the first 
secret and the second secret are different then the first hash and the second hash will never 
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match, which would render Applicant's invention useless. It is clear that the first and second 
secrets are intended to be the same secret, otherwise it would be completely pointless to use them 
to generate hashes that are being compared for authentication purposes. 

4. Applicant argues, "Since the server is already in possession of the password, the server 
certainly does not receive the password from the client." This argument is not persuasive because 
the claims do not require the device to "receive the password from the client." 

Claim Rejections - 35 USC § 102 

5. The following is a quotation of the appropriate paragraphs of 35 U.S. C. 1 02 that form the 
, basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 

in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 

6. Claims 1,2, 13, 14, 25, 26 are rejected under 35 U.S.C. 102(e) as being anticipated by 
Peyravian, U.S. Publication No. 2004/0158715. Referring to claims 1, 13, 25, Peyravian 
discloses an authentication system between parties communicating over a SSL tunnel (Abstract 
& [0016]), which meets the limitation of establishing a tunnel between an authenticator in the 
network and a device, the tunnel using a tunnel protocol. The communicating parties include a 
client and server wherein each have a public/private key pair ([0023] & [0025]) and a shared 
secret ([0022]), which meets the limitation of the authenticator having a first public key, the 
device having a second secret and a second public key. The client concatenates the public key of 
the client, the public key of the server, and a random number ([0038] & [0040]), which is then 
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hashed by the client and transmitted to the server ([0040]), which meets the limitation of 
generating a first hash for transmission to the device, the first hash generated using a secret 
obtained from a user, the first public key, the second public key and a random number generated 
from the tunnel protocol. The server receives the hash that is generated by the client, generates a 
second hash for comparison with the hash received from the client ([0041]), which meets the 
limitation of comparing the first hash with a second hash, wherein the second hash is generated 
at the device. If the hashes match, the server has authenticated the client for communications 
with the server ([0041]-[0042]), which meets the limitation of upon determining that the first 
hash matches the second hash, establishing an authenticated session between the device and the 
authenticator. 

Referring to claims 2, 14, 26, Peyravian discloses that the second hash is generated by 
concatenating the public key of the client, the public key of the server, the shared secret, and the 
random number ([0038] & [0041]), which is then hashed [0041]), which meets the limitation of 
generating the second hash at the device using the first public key, the second public key, the 
second secret, and the random number generated fi-om the tunnel protocol. 

Claim Rejections - 35 USC §103 
7. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 



Application/Control Number: Page 5 

10/678,745 

Art Unit: 2132 

8. The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 
(1966), that are applied for establishing a background for determining obviousness under 35 
U.S.C. 103(a) are summarized as follows: 

1. Determining the scope arid contents of the prior art. 

2. Ascertaining the differences between the prior art and the claims at issue. 

3. Resolving the level of ordinary skill in the pertinent art. 

4. Considering objective evidence present in the application indicating obviousness 
or nonobviousness. 

9. Claims 6, 7, 10, 18, 19, 22, 30, 31, 34, 40 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Peyravian, U.S. Publication No. 2004/0158715. Referring to claims 6, 7, 18, 
19, 30, 31, Peyravian discloses that if the hashes match, the server has authenticated the client for 
communications with the server ([0041]-[0042]), which meets the Hmitation of determining if a 
hash value of the second public key matches a hash value obtained from the device. A secret is 
shared between the two parties ([0022]), which meets the limitation of receiving the secret 
obtained from the user. Peyravian does not disclose that the client or server include a display for 
displaying the hashes and shared secret. However, it would have been obvious to one of ordinary 
skill in the art at the time the invention was made to improve the client machines and server 
machines of Peyravian by adding displays to the respective machines, which would allow 
viewing of data on the machines. One of ordinary skill in the art would have capable of applying 
a display to the client/server machines and such an application would have predictable provided 

a means of viewing data resident on the machines. 

Referring to claims 10, 22, 34, Peyravian discloses that the password is transmitted such 
that it need be manually entered into the respective machine ([0033]), which meets the limitation 
of enabling the user to provide the secret. Peyravian does not disclose that the client or server 
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include a display for displaying the hashes and shared secret. However, it would have been 
obvious to one of ordinary skill in the art at the time the invention was made to improve the 
client machines and server machines of Peyravian by adding displays to the respective machines, 
which would allow viewing of data on the machines. One of ordinary skill in the art would have 
capable of applying a display to the client/server machines and such an application would have 
predictable provided a means of viewing data resident on the machines. 

Referring to claim 40, Peyravian discloses an authentication system between parties 
communicating over a SSL tunnel (Abstract & [0016]), which meets the limitation of 
establishing a tunnel between an authenticator in the network and a device, the tunnel using a 
tunnel protocol. The communicating parties include a client and server wherein each have a 
public/private key pair ([0023] & [0025]) and a shared secret ([0022]), which meets the 
limitation of the authenticator having a first public key, the device having a second secret and a 
second public key. The client concatenates the public key of the client, the public key of the 
server, and a random number ([0038] & [0040]), which is then hashed by the client and 
transmitted to the server ([0040]), which meets the limitation of generating a first hash for 
transmission to the device, the first hash generated using a secret obtained from a user, the first 
public key, the second public key and a random number generated from the tunnel protocol. The 
server receives the hash that is generated by the client, generates a second hash for comparison 
with the hash received from the client ([0041]), which meets the limitation of comparing the first 
hash with a second hash, wherein the second hash is generated at the device. If the hashes match, 
the server has authenticated the client for communications with the server ([0041]-[0042]), 
which meets the limitation of upon determining that the first hash matches the second hash, 
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establishing an authenticated session between the device and the authenticator. The client and 
server are machines ([.0016]), which meets the limitation of memory, a processor configured to 
connect the product to a secure network. Peyravian does not disclose that the client or server 
include a display for displaying the hashes and shared secret. However, it would have been 
obvious to one of ordinary skill in the art at the time the invention was made to improve the 
client machines and server machines of Peyravian by adding displays to the respective machines, 
which would allow viewing of data on the machines. One of ordinary skill in the art would have 
capable of applying.a display to the client/server machines and such an application would have 
predictable provided a means of viewing data resident on the machines. 
10. Claims 3-5, 11, 12, 15-17, 23, 24, 27-29, 35; 36 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Peyravian, U.S. Publipation No. 2004/0158715, in view of Schneier. 
Referring to claims 3, 15, 27, Peyravian discloses an authentication system between parties 
wherein hashes are calculated, and compared for the purposes of authentication ([0038]-[0042]). 
Peyravian does not disclose that the hashes are included in a message that is encrypted with the 
public key of the receiver. However, it would have been obvious to one of ordinary skill in the 
art at the time the invention was made to include the generated hashes in a message that is 
encrypted for transmission to a receiver using the public key of the receiver in order to provide a 
means of privacy for the communications that is lacking without encryption as taught by 
Schneier (Pages 39 & 41). 

Referring to claims 4, 16, 28, Peyravian discloses an authentication system between 
parties wherein hashes are calculated, and compared for the purposes of authentication ([0038]- • 
[0042]). Peyravian does not disclose that the hashes are included in a message, digitally signed. 
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and encrypted with the public key of the receiver. Schneier discloses encrypting a hash with the 
private key of the sender to create a digital signature (Page 38), including the hash in a message, 
which is encrypted with the public key of the receiver for transmission (Page 38 & 41), which 
meets the limitation of signing the message with the first private key to generate a digital 
signature. It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to include the generated hashes in a message that is digitally signed and encrypted for 
'transmission to a receiver using the public key of the receiver in order to provide a means of 
privacy for the communications that is lacking without encryption, along with providing a means 
for authenticating the message as taught by Schneier (Pages 39 & 41). 

Referring to claims 5, 17, 29, Peyravian discloses an authentication system between 
parties wherein hashes are calculated, and compared for the purposes of authentication ([0038]- 
[0042]). Peyravian does not disclose that the hashes are included in a message, digitally signed, 
and encrypted with the public key of the receiver. Schneier discloses encrypting a hash with the 
private key of the sender to create a digital signature (Page 38), including the hash in a message, 
which is encrypted with the public key of the receiver for transmission (Page 38 & 41). Upon 
receipt by the receiver, the message is decrypted using the private key of the receiver, and the 
digital signature is verified using the public key of the sender (Page 41), which meets the 
limitation of checking the digital signature using a first public key, and decrypting the message 
using the second private key. It would have been obvious to one of ordinary skill in the art at the 
time the invention was made to include the generated hashes in a message that is digitally signed 
and encrypted for transmission to a receiver using the public key of the receiver in order to 
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provide a means of privacy for the communications that is lacking without encryption, along 
with providing a means for authenticating the message as taught by Schneier (Pages 39 & 41). 

Referring to claims 1 1, 12, 23, 24, 35, 36, Peyravian does not disclose 
determining/placing whether a public key is on a credential list. Schneier discloses utilizing a 
certificate authority list to store information about public keys (Page 186), which meets the 
limitation of determining if the second public key is on the first credential list, determining if the 
first public key is on the second credential list, placing the first public key in the second 
credential list, and placing the second public key in the first credential list. It would have been 
obvious to one of ordinary skill in the art at the time the invention was made to utilizing a 
certification authority certificate list in Peyravian in order to determine which public keys have 
expired or been compromised as taught by Schneier (Page 186). 

11. Claims 41-44 are rejected under 35 U.S.C. 103(a) as being unpatentable over Peyravian, 
U.S. Publication No. 2004/0158715, in view of Palekar, U.S. Publication No. 2003/0226017. 
Referring to claims 41-44, Peyravian does not specify any specific type of client/server 
machines. However, it would have been obvious to one of ordinary skill in the art at the time the 
invention was made to implement the client/server machines of Peyravian using one of the finite 
number of embodiments used in the similar system of Palekar ([0031]) because use of any one of 
the finite number of machines described in Palekar as the machines in Peyravian would not 
effect the solution to the problem solved in Peyravian. 

Conclusion 

12. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 
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A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1 .136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the mailing 
date of this final action. 

13. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Benjamin E. Lanier whose telephone number is 571-272-3805. 
The examiner can normally be reached on M-Th 6:00am-4:30pm. 

If attempts to reach the examiner by telephone are unsuccessftil, the examiner's 
supervisor, Gilberto Barron can be reached on 571-272-3799. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
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